| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
Add the API key for gandi to the secrest, create a profile for acme with
my defaults.
The profile is loaded by tahoe since that's where our services are
running on.
Update all the servers in nginx to listen on their wireguard interface.
|
|
|
|
I don't use GPG anymore and I don't read mail in Emacs anymore.
|
|
|
|
|
|
Coming from https://github.com/NixOS/nixos-hardware/blob/51559e691f1493a26f94f1df1aaf516bb507e78b/dell/xps/13-9300/default.nix
|
|
|
|
Without this I was seeing the following error:
```
Unknown key Settings in /home/fcuny/.config/gtk-3.0/settings.ini
```
And the configuration contained:
```
[Settings]
Settings=gtk-application-prefer-dark-theme=1
```
|
|
I was getting:
```
Error in configuration at CPU_SCALING_GOVERNOR_ON_AC="schedutil": governor not available. Skipped.
```
Restore to the previous configuration.
|
|
Easier on my eyes.
|
|
This is a major refactor, similar to what was done for the hosts, but in
a single commit.
|
|
|
|
|
|
This remove ssh on workstations. I also drop mosh since I don't use it.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The NAS and the router are "servers", and we create a base profile for
them.
We add a default profile that will set things that are common to all my
hosts, and we start with the locales.
Update tahoe/carmel to use the server profile.
|
|
|
|
|
|
|
|
There's too many moving parts and layers of abstractions, for no
benefits: I only have to manage 3-4 machines.
Going to create profiles, move things there, and stop with the `enable`
pattern.
|
|
This function produces a shell script with dependencies, set the PATH,
set some SHELLOPTS, and check the script with shellcheck.
|
|
This is to call restic on the nas from a remote machine. It sets
variables and run everything via sudo.
|
|
I'm not using rclone anymore and I'm not storing the backups to GCS
buckets either.
|
|
|
|
|
|
The NAS will rsync all the backups to rsync.net. This new module creates
a systemd unit and timer to do this task.
|
|
|
|
|
|
These keys are stable, they can be set on every hosts.
|
|
Backups are not synchronized with rclone to gcloud, but instead with
rsync to rsync.net.
|
|
The path to the restic repository has changed, and we are a bit more
specific about the paths we want to backup.
|
|
Configure correctly the systemd unit to run restic on aptos.
Be more specific about the paths we want to backup, instead of backing
up '/home' and maintaining a large exclusion list.
|
|
For a host to use a repository from a remote machine, we need to
configure options for the CLI. For this we add a new setting
`extraOptions` where we can define the sftp command.
Remove the setting for the user that will run restic, since it's always
'root' in our situation.
Clean some descriptions.
|
|
The dedicated account for backup should be named 'backup', as it's more
generic.
While it's a system account, I still need to be able to log in the host
remotely with sftp, so we give it a UID (991).
The account needs to be able to sftp to tahoe in order to store the
backups from remote hosts. However we don't want this user to get a
shell and be able to browse the host, so we configure sshd to chroot the
user to where the backups are stored.
|
|
|
|
|
|
|
|
This is the user I'll be using to do my backups. This is a system user,
and there's only one public key added to it. This key is only used for
backups and will be managed in this repository.
|
|
I'm not using anymore sourcegraph drone and gitea.
|
|
|
|
|
|
I don't want to have to deal with authentication and TLS certificates
for these endpoints. If they are only listening on the wireguard
interface I can trust that only authorized hosts are sending traffic to
these endpoints. I trust what's running on these machines.
|
|
This will help to organize and structure monitoring modules a bit
better.
|
|
|
|
|
|
This is now handled by
https://git.fcuny.net/monitoring/commit/?id=b4abbf2d86d06d243b639d06a576f542f3dd5824
|
|
This is way too verbose
|
|
|
|
No need to release the lease if we are rebooting.
|
|
|
|
|
|
It's now managed in https://git.fcuny.net/monitoring/
|
|
Bind to the wireguard interface, and use the port 8067 (67 is the port
used for DHCP requests).
|
|
The option `dhcp-script` can be used to run a script every time a new
lease is added or deleted. We configure this option to run the script
that generates a static HTML file with the leases.
|
|
Parse the file that contains all the leases assigned by dnsmasq, and
create a static HTML page from it. This can be served by nginx to make
it easy to see what IP is assigned to a machine, and which machines are
currently on the network.
|
|
|
|
|
|
|
|
|
|
|
|
This is managed in the tailscale module.
|
|
|
|
|
|
|
|
|
|
I'm not using it as a desktop, and the current router is getting old and
will likely fail in the near future. It's also a debian machine
configured manually, so let's reconfigure carmel as our new router.
There are three NICs in the host: 2 are 10Gb and one is 1Gb. The 1Gb
will be used as the upstream interface, and one of the 10Gb will be for
the LAN.
There are 2 VLANs to configure: one for IoT devices and one for guest.
|
|
|
|
|
|
I only need to run sway and the ssh-agent on a workstation (desktop or
laptop). Start these two processes when the window manager starts.
|
|
To prevent the unit to be triggered multiple times if the host has
already rebooted, we create a gate file when we're done running, and
before running, we check if the file exists.
Enable the service on tahoe.
Don't restart the unit when its definition has changed.
|
|
|
|
|
|
|
|
|
|
fractal requires the gnome key chain but I got rid of it.
|
|
- source code pro for monospace
- dejavu sans for sans serif
- dejavu serif for serif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- add a comment for each ssh-key that is not stored on a yubikey
- simplify the git commit template
- remove some extra config that I don't need
|
|
I completely replaced the usage of `pass' with `passage'. There's no
need to keep a mapping file at this point, since my interaction with the
git server is through ssh.
|
|
|
|
|
|
This is a useful tool to know when I'm supposed to touch my
yubikey (sometimes I forget that some actions require that).
Also configure a systemd unit to run it, and configure it to send a
notification to the desktop (at the moment this is consumed by mako).
|
|
Turns out I don't need this one!
|
|
The code has moved to https://git.fcuny.net/dns-updater/
|
|
I do not need an agent anymore, since I don't need to decrypt anything
in GPG at this point!
|
|
|
|
We need to start the ssh agent (if needed) before we start sway.
|
|
Reports the number of systemd units (user and systems) that are in
failed state.
|
|
I keep running into issues when using fish: I'm not familiar with the
syntax and I don't use it enough that it sticks. I also need to google
stuff regularly to figure out how things are supposed to work. This is
annoying enough that the supposed benefits of fish are not worth it for
me.
|
|
This secret is not needed system wide, I only need it to run some tools.
|
|
Instead of using agenix for all the secrets, I can use homeage for
secrets that are related to my user sessions.
Secrets by default will be store under `~/.secrets'. They are encrypted
using `age' and to decrypt them, a key is expected to be located under
`~/.age/key.txt'.
The last place where I was using `pass' (and so GPG too) was for the
secrets for `mbsync': this change adds a secret for fastmail to the
repository and update `mbsync' configuration to use it.
|
|
I used the keyring only to start the GPG agent and unlock the ssh keys.
But since I'm storing the ssh keys on yubikeys and I don't use GPG, I
can remove it.
|
|
I need to be explicit about the path to the identity file.
Since I'm switching from pass to passage, I also want to disable the
automatic synchronization of the repository, and I don't need to have a
wrapper for git to push the secrets (I push through ssh now instead of
HTTPS).
|
|
Delete gnome's keyring documentation, I will not be using it anymore, so
no need to keep this around.
Add documentation about how to manage secrets, and clean up wireguard's
documentation.
|
|
|
|
This is using the public keys from:
- my user on my laptop
- the root user on tahoe
- the backup key stored on the USB drive
|
|
This is now using the public keys from various age keys:
- one for my user on the laptop
- one for the root user on the laptop
- one backup key stored on the USB drive
|
|
I'll re-key all my secrets with age keys instead of using ssh keys. This
change is to specify the path for the identities when agenix decrypts
the secrets.
|
|
|
|
See https://github.com/nix-community/home-manager/pull/3265
|
|
Flake lock file updates:
• Updated input 'agenix':
'github:ryantm/agenix/5f66c8aa774d8d488cba1cdc4f0c954d2a14e3a1' (2023-02-20)
→ 'github:ryantm/agenix/1abf0ade92bdf9dbcaa5155bb39e3ae19cb98aaa' (2023-03-04)
• Updated input 'emacs-overlay':
'github:nix-community/emacs-overlay/d7eeebd439b52b77958eb3d8043f3262701ddee2' (2023-02-20)
→ 'github:nix-community/emacs-overlay/2efd7c8d60ce0750097bbd327ec083e3ce545b31' (2023-03-04)
• Removed input 'gh-ssh-keys'
• Removed input 'gh-ssh-keys/crane'
• Removed input 'gh-ssh-keys/crane/flake-compat'
• Removed input 'gh-ssh-keys/crane/flake-utils'
• Removed input 'gh-ssh-keys/crane/nixpkgs'
• Removed input 'gh-ssh-keys/crane/rust-overlay'
• Removed input 'gh-ssh-keys/crane/rust-overlay/flake-utils'
• Removed input 'gh-ssh-keys/crane/rust-overlay/nixpkgs'
• Removed input 'gh-ssh-keys/flake-utils'
• Removed input 'gh-ssh-keys/nixpkgs'
• Removed input 'gh-ssh-keys/pre-commit-hooks'
• Removed input 'gh-ssh-keys/pre-commit-hooks/flake-utils'
• Removed input 'gh-ssh-keys/pre-commit-hooks/nixpkgs'
• Removed input 'gh-ssh-keys/rust-overlay'
• Removed input 'gh-ssh-keys/rust-overlay/flake-utils'
• Removed input 'gh-ssh-keys/rust-overlay/nixpkgs'
• Updated input 'home-manager':
'github:nix-community/home-manager/72ce74d3eae78a6b31538ea7ebe0c1fcf4a10f7a' (2023-02-20)
→ 'github:nix-community/home-manager/b9e3a29864798d55ec1d6579ab97876bb1ee9664' (2023-03-02)
• Removed input 'masked-emails'
• Removed input 'masked-emails/crane'
• Removed input 'masked-emails/crane/flake-compat'
• Removed input 'masked-emails/crane/flake-utils'
• Removed input 'masked-emails/crane/nixpkgs'
• Removed input 'masked-emails/crane/rust-overlay'
• Removed input 'masked-emails/crane/rust-overlay/flake-utils'
• Removed input 'masked-emails/crane/rust-overlay/nixpkgs'
• Removed input 'masked-emails/flake-utils'
• Removed input 'masked-emails/nixpkgs'
• Removed input 'masked-emails/pre-commit-hooks'
• Removed input 'masked-emails/pre-commit-hooks/flake-compat'
• Removed input 'masked-emails/pre-commit-hooks/flake-utils'
• Removed input 'masked-emails/pre-commit-hooks/gitignore'
• Removed input 'masked-emails/pre-commit-hooks/gitignore/nixpkgs'
• Removed input 'masked-emails/pre-commit-hooks/nixpkgs'
• Removed input 'masked-emails/pre-commit-hooks/nixpkgs-stable'
• Removed input 'masked-emails/rust-overlay'
• Removed input 'masked-emails/rust-overlay/flake-utils'
• Removed input 'masked-emails/rust-overlay/nixpkgs'
• Updated input 'naersk/nixpkgs':
'github:NixOS/nixpkgs/a1291d0d020a200c7ce3c48e96090bfa4890a475' (2023-02-19)
→ 'github:NixOS/nixpkgs/f5ffd5787786dde3a8bf648c7a1b5f78c4e01abb' (2023-03-03)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/0cf4274b5d06325bd16dbf879a30981bc283e58a' (2023-02-19)
→ 'github:NixOS/nixpkgs/96e18717904dfedcd884541e5a92bf9ff632cf39' (2023-03-02)
• Updated input 'nur':
'github:nix-community/NUR/3c39aebcd09c9d6c257140e07f3d2beac4a83043' (2023-02-20)
→ 'github:nix-community/NUR/2860ab344d033a877e6a03f1c33cb4b7b5e05ddf' (2023-03-04)
• Updated input 'pre-commit-hooks':
'github:cachix/pre-commit-hooks.nix/c9495f017f67a11e9c9909b032dc7762dfc853cf' (2023-02-20)
→ 'github:cachix/pre-commit-hooks.nix/382bee738397ca005206eefa36922cc10df8a21c' (2023-03-03)
• Updated input 'rust':
'github:oxalica/rust-overlay/98f11700e398cf2ae6da905df56badc17e265021' (2023-02-20)
→ 'github:oxalica/rust-overlay/c25d3e1951863ac0061d47a3fabf9aa7c91db5e5' (2023-03-04)
• Removed input 'sendsms'
• Removed input 'sendsms/crane'
• Removed input 'sendsms/crane/flake-compat'
• Removed input 'sendsms/crane/flake-utils'
• Removed input 'sendsms/crane/nixpkgs'
• Removed input 'sendsms/crane/rust-overlay'
• Removed input 'sendsms/crane/rust-overlay/flake-utils'
• Removed input 'sendsms/crane/rust-overlay/nixpkgs'
• Removed input 'sendsms/flake-utils'
• Removed input 'sendsms/nixpkgs'
• Removed input 'sendsms/pre-commit-hooks'
• Removed input 'sendsms/pre-commit-hooks/flake-utils'
• Removed input 'sendsms/pre-commit-hooks/nixpkgs'
• Removed input 'sendsms/rust-overlay'
• Removed input 'sendsms/rust-overlay/flake-utils'
• Removed input 'sendsms/rust-overlay/nixpkgs'
• Removed input 'x509-tools'
• Removed input 'x509-tools/crane'
• Removed input 'x509-tools/crane/flake-compat'
• Removed input 'x509-tools/crane/flake-utils'
• Removed input 'x509-tools/crane/nixpkgs'
• Removed input 'x509-tools/crane/rust-overlay'
• Removed input 'x509-tools/crane/rust-overlay/flake-utils'
• Removed input 'x509-tools/crane/rust-overlay/nixpkgs'
• Removed input 'x509-tools/flake-utils'
• Removed input 'x509-tools/nixpkgs'
• Removed input 'x509-tools/pre-commit-hooks'
• Removed input 'x509-tools/pre-commit-hooks/flake-utils'
• Removed input 'x509-tools/pre-commit-hooks/nixpkgs'
• Removed input 'x509-tools/rust-overlay'
• Removed input 'x509-tools/rust-overlay/flake-utils'
• Removed input 'x509-tools/rust-overlay/nixpkgs'
|
|
I'm rewriting them in go and they are not ready to be used yet.
|
|
|
|
|
|
It's not working as I want, let's fix it first then we can enable it
again later.
|
|
It's not running anymore.
|
|
drone is not running anymore
|
|
Replace gitea with gitolite + cgit. I don't need a whole git forge for
myself, especially since I don't use most of the features.
The main thing I'm losing with this change is CI (via drone), but this
is not really a big loss for now.
|
